Ecommerce Coffee Break – The Ecom Marketing & Sales Podcast

2026 Privacy Laws Alert: Avoid Getting Sued – What Brands Must Do TODAY — Richart Ruddie | Why Privacy Lawsuits Are Rising, Why Pixels & Trackers Cause Risk, Why Many Cookie Banners Fail, What A Privacy Lawsuit Looks Like, How To Protect Your Brand (#459)

Richart Ruddie Season 8 Episode 52

In this episode, we explore the rising threat of privacy lawsuits hitting e-commerce and CPG brands. 

Richart Ruddie, Founder of Captain Compliance, explains how new legal technologies are helping attorneys target smaller businesses for tracking pixel violations. 

He shares how brands can protect themselves by automating compliance, fixing broken consent banners, and staying ahead of rapidly changing state and federal laws to avoid massive legal fees.

Topics discussed in this episode:  

  • Why privacy lawsuits target CPG brands. 
  • How AI tech speeds up legal claims. 
  • What tracking pixels cause the most risk. 
  • Why common consent banners often fail. 
  • How session replay tools invite litigation. 
  • What 20 state laws mean for merchants. 
  • Why blocking EU traffic isn't enough. 
  • How automated portals handle data requests. 
  • What litigation protection shields offer. 

Links & Resources 

Website: https://captaincompliance.com
LinkedIn: https://www.linkedin.com/in/richartruddie/
YouTube: https://www.youtube.com/@captain-compliance

Get access to more free resources by visiting the show notes at https://tinyurl.com/mv6f5jj2



00:00:00:01 - 00:00:21:04
Unknown
It's no different than what's happening online. When you're on a website, they're watching what you're typing, where you're scrolling on the screen. When you put privacy in that perspective, and a lot of the plaintiffs' attorneys are putting that perspective into the judge's mind, the judges are ruling against a lot of these companies, and they're losing because technically they are violating people's privacy if they're not providing proper consent and disclosure.

00:00:21:06 - 00:00:46:18
Unknown
What does a real privacy lawsuit look like? How scary can it get? So I just mentioned the one. Hello and welcome to another episode of the E-commerce Coffee Break podcast. Privacy lawsuits are no longer a problem just for big corporates. They're hitting CPG brands, Shopify stores and fast-growing DTC businesses every day. Old laws are being used in new ways and many merchants don't see it coming.

00:00:46:19 - 00:01:15:03
Unknown
One overlooked tracking pixel, one missing consent, and suddenly you're facing massive legal bills from this lawsuit is us. Today we're breaking down why this is happening, how real the risk actually is, and what smart e-commerce operators can do to protect themselves. Joining me to unpack all of this is Richart Ruddie. He is a serial entrepreneur and founder of Captain Compliance, a fast-growing data privacy software solution that helps CPG and e-commerce brands automate compliance and fight back against litigation risks.

00:01:15:05 - 00:01:35:20
Unknown
Richart, great to have you on the show. Thank you. Amazing opening. Let's dive into it. Why are privacy lawsuits hitting CPG and e-commerce brands right now? So I think if you look back to when GDPR, which is Europe's privacy law, when that came out, it was really targeting more so big tech and that's who took it seriously where the smaller businesses did not.

00:01:35:22 - 00:02:06:09
Unknown
Now we've evolved and we've seen so much happen in both tracking technologies, ad tech and litigation for the big names. You've seen multibillion dollar fines doled out to Meta, to Microsoft and these bigger brands. TikTok as well has paid big dollars. Now it's filtered down: the plaintiffs' attorneys have realized, especially here in America, like, wait a second, I can go after businesses and I can collect money for privacy violations on behalf of consumers.

00:02:06:15 - 00:02:25:14
Unknown
So that's one trend that's really picking up, because to fight Google or to fight these big tech companies is going to cost a lot of legal bills and take years, where the plaintiffs' attorneys have figured out that they can go after CPG companies and they can get kind of more like ambulance chaser kind of quick hits.

00:02:25:16 - 00:03:00:21
Unknown
And it's a big up-and-coming profit center. And the rise of legal tech, especially AI legal tech, is making it easier and easier for these plaintiffs' firms to both identify violations and to send out mass violation demand letters and arbitration demands and file lawsuits en masse, where it would have taken a lot longer in the past. So all of these things are converging now, and I think 2026, in my opinion, is going to be the biggest year that we're seeing in terms of privacy lawsuits filed, demand letters, and it's only ramping up and we've seen it even in the very beginning of the year.

00:03:00:23 - 00:03:22:22
Unknown
Already had a client where normally we would see a 45, $50,000 demand off the bat. Now it's grown to $900,000. And companies discovering like, we need to get on this and fix this right away. It's the right we should have. We heard your webinar. We heard the warning sign. We didn't do anything. And now it's going to cost us a few hundred thousand dollars.

00:03:23:00 - 00:03:43:07
Unknown
Now we want to jump on it. Mm hmm. I think it's very important that you say this has become a real problem for brands out there. And just to highlight how complicated it is, you mentioned for Europe it's GDPR, which in itself is complicated enough. But for the U.S., there are many, many more privacy laws today. Talk me through it: how many are there and how do they apply to brands?

00:03:43:09 - 00:04:14:20
Unknown
Yeah, so globally there's over 144 different privacy laws. GDPR is so complicated that even the EU regulation body has fined themselves for a violation. So they said even we are not immune, right? Even we can have slip-ups. So it just shows you the complication there. The US is very interesting. So any of your audience that's listening know that there are 20 state privacy laws and each of those have different thresholds and requirements to comply with.

00:04:15:02 - 00:04:37:06
Unknown
But that's not what most of the plaintiffs' firms are going after. They're finding everything from unfair competition to one called the California Invasion of Privacy Act to another federal law called the Electronic Communications Privacy Act. And they're getting very creative in the ways that they're saying and finding violations, and they're finding ones where they can use consumers.

00:04:37:06 - 00:05:02:01
Unknown
And ironically, they're running ads on Facebook and Instagram to recruit consumers and plaintiffs to go ahead and then file these claims. So and the claims are usually, hey, you're running retargeting and you're running advertising through Facebook and Instagram, and yet this is what we're going to come after you for. So that's been definitely one of the big trends that we're seeing and noticing.

00:05:02:03 - 00:05:21:15
Unknown
It's pretty scary, me being a marketer and all our listeners out there probably using their ads, Google ads and not aware of this. Let's dive into a little bit of what kind of tools or which kinds of things you use on your website cause the most trouble. Is it pixels? Is it analytics, is it chats? What's most commonly the problem there?

00:05:21:20 - 00:05:40:20
Unknown
We actually have a list of heavily litigated pixels and cookies and trackers. Ad targeting technology is going to be at the top of that list you mentioned. Meta pixel is a big one, but we're also seeing that again, the law firms are being so industrious, they're being so creative that they're coming up with not just one or two, they're going through a whole list.

00:05:40:20 - 00:06:22:23
Unknown
So we've seen LinkedIn Insight Tag, we've seen TikTok, we've seen Google Analytics being claimed that that's transferring data. CCPA, which is California's law, has a special provision that if there's a data breach, then you can have a private right of action, meaning any individual can go ahead and sue you. So now we've seen in one of the cases that the judge has ruled that the Meta pixel has exfiltrated and shared data, and they're concerned that a data breach. So Meta is usually the number one because it's on millions of websites, but going down to even smaller and more nuanced tracking and ad targeting technologies ad ADM's another one that we saw pop up

00:06:22:23 - 00:06:46:20
Unknown
recently and then on the session replay side. So if you're using something like a Hotjar, Microsoft Clarity, any of those tools, those are also really important to make sure that you have proper disclosures. So those are the biggest ones. Anything that's watching, watching how you're moving around on a screen and the way I like to describe it from the viewpoint of, say, like a Tim Cook from Apple says you wouldn't be comfortable.

00:06:46:20 - 00:07:06:22
Unknown
Somebody was leaning over your shoulder watching everything you're typing on your computer, everything you're typing in your phone, every text message, right? Or it's no different than what's happening online. When you're on a website, they're watching what you're typing, where you're scrolling on the screen. So when you put privacy in that perspective and a lot of the plaintiffs' attorneys are putting that perspective into the judges' minds.

00:07:07:04 - 00:07:34:20
Unknown
The judges are ruling against a lot of these companies, and they're losing because technically they are violating people's privacy if they're not providing proper consent and disclosure. Mm hmm. What does a real privacy lawsuit look like for a brand? What steps are involved? How scary can it get? So I just mentioned the one with $900,000 in claims. That's because we're using a handful of different trackers and they're adding statutory damages for each one.

00:07:34:22 - 00:07:55:18
Unknown
There are others that we've seen, a company in the telehealth space that got hit with a $5 million class action lawsuit last year. After speaking with us, we said, you should definitely do something. They said, Oh, we'll get to it. They didn't. And then they messaged me actually in the middle of the night saying, How do you protect against pixel litigation?

00:07:55:18 - 00:08:15:11
Unknown
I'm like, That's exactly what we've been saying. That's what we were created to do. And they said, Well, it might be too late, but we have this $5 billion class action lawsuit. So the lawsuits tend to be pretty scary in most cases. There is even one individual who is doing what's called pro se compliance, meaning he's filing as an individual without a law firm.

00:08:15:13 - 00:08:32:03
Unknown
And again, I believe he's using some sort of A.I. tech because he's sending out mass. But usually they'll have a look at your terms of service. They'll see if you have some sort of arbitration demand or clause in there. If there is an arbitration clause, then they try to force you into an arbitration. So then you've got to hire an attorney.

00:08:32:03 - 00:08:51:08
Unknown
Then you have to hire and pay for the arbitration fees. So they know right off the bat it's going to cost you a few thousand dollars there. And then they try to look really scary. So they'll say how they've invaded and you surreptitiously have sold and shared their data and their personal information without their permission, that it's being shared with all these other sites.

00:08:51:08 - 00:09:14:20
Unknown
And then they actually show proof. There's actually tools that they have used, like a GET request and a HAR file. And it'll actually show here's the documentation of the data of the plaintiff being shared. So there's not really a way to say, hey, I didn't do it, because they did. So they make it look scary. Right? And they know what they're doing.

00:09:14:20 - 00:09:36:14
Unknown
They're getting more and more sophisticated. If anybody here listening has dealt with an ADA or compliance lawsuit, then you know that privacy is this bigger version of that. Because there's only a certain percentage of the population that has some sort of disability coming to your website. But there's a much larger database of people that are considered data subjects, which is any individual.

00:09:36:14 - 00:10:02:16
Unknown
So you as a data subject, if you're a resident of Spain, then you actually have rights against websites in the US that they're accepting your traffic. So that's why if anybody's listening to you and you actually go to a website, that's a news site, for example, in the US, most news websites are actually blocking EU traffic because they just can't. There's no way that they can be compliant and they know it, so they just block all EU traffic.

00:10:02:16 - 00:10:23:19
Unknown
But most business owners are not blocking any EU traffic, so technically they'd be at risk as well. And if there was a private right of action from GDPR, then that would be a whole nother explosion in profit center that the EU regulatory body would be able to capitalize on. Hmm. Now it's a really scary situation. I have been in a similar situation more than 20 years ago since then.

00:10:23:19 - 00:10:42:06
Unknown
I'm clean. So and as I said to you, get a very scary letter and you might have some sleepless nights. And for our listeners have never been there, tried to avoid this in the first place, even if that's just scaremongering. And actually it's not that bad. But you don't want to have this in your business. Now, Richart, obviously you found a solution with Captain Compliance there, so you were helping.

00:10:42:06 - 00:11:01:14
Unknown
With this, tell me, how do you help brands in not getting in a bad situation in the first place? Yeah, and we want everybody to be proactive. Not everybody listens. Even a couple of weeks ago, we had one that said, I heard your webinar, I heard the warning signs. We told our IT and staff team. They said, Oh yeah, we fixed it.

00:11:01:14 - 00:11:26:18
Unknown
Well, guess what? They didn't properly thinks so. So again, it's when the situation they call, I would say about 90% of privacy software out there is not properly configured or doesn't work and that's created great opportunity. I was speaking with a privacy defense attorney yesterday and he told me how there's some serious class actions going on in firms that know that these banners don't work.

00:11:26:20 - 00:11:46:16
Unknown
They'll look at a banner and they go, they experience, record and say, Hey, look, we decline all and everything was still firing, going off like caught red handed. And these companies are paying out some pretty big dollars. And it's considered dark patterns, which also that and we talked about how the plaintiffs attorneys also you have to now worry about the FTC here in the US and other regulatory bodies that are saying this.

00:11:46:16 - 00:12:11:21
Unknown
So we've created Captain Compliance to be a full-service privacy software suite where we provide everything from a cookie consent banner that actually works. We handle the integration for clients as long as they let us, and we'd like to test and make sure that it's doing as it's supposed to. We are very proactive where we're consistently looking for any new tech that's added to the site and then classifying it appropriately.

00:12:11:21 - 00:12:30:10
Unknown
So being proactive is a really important part of what we do. We also have a dynamic cookie policy, so we'll scan a site and we'll update the whole library of any sort of tech on there and have a public audit. So we have a client who is actually there running Taboola. Again, we were talking about Facebook, we were talking about Google, TikTok.

00:12:30:10 - 00:12:52:02
Unknown
We didn't even talk about Taboola. Taboola is another one. These random ads ad campaign softwares that you can run and they were running Taboola and they got hit with one of these privacy claims. But because they were using our software, we were able to get the case dismissed almost instantly. So having like a public audit has been really helpful.

00:12:52:04 - 00:13:25:21
Unknown
What's running on the site? And then we also have what's called a data subject access request portal. So different states and especially the EU and GDPR give users data subject rights where you can request your information. It's a growing field and one of the reasons it's growing is there's some savvy software companies, one's called Privacy Hawk. And what they've done is they've commoditized the ability to go through your actual email inbox and see everywhere you're subscribed to, and then they give you a click once and then tell us you want to opt out.

00:13:25:21 - 00:13:50:06
Unknown
And then those removal requests. So as those are ramping up more and more, these data subject requests are going out. If you don't comply with those and you ignore it, then you're subject to a $7,500 fine in most jurisdictions. So that's creating other issues. So we've figured out a way to not only help ingest those, but if the clients want, we can completely automate those requests and the handling of those.

00:13:50:08 - 00:14:14:11
Unknown
And then finally, we have a privacy policy software. So as new legal requirements, the laws come out, which just this month we've had three new laws that have come out, we are automatically and proactively for all of our clients who have opted in to update these privacy notices and add specific supplements. So say Indiana, Rhode Island, Kentucky in the USA have come out with new privacy laws and requirements.

00:14:14:11 - 00:14:41:15
Unknown
Anybody you're targeting, consumers in those states have to have specific supplements. So we're able to automatically update those. And the Oregon state attorney general said at a recent privacy conference that they were not okay with states, with websites having only California as a state, having a separate privacy notice, that they want to see Oregon having the same rights and they're going to start being proactive, coming after businesses that don't respect Oregon users' rights.

00:14:41:15 - 00:15:10:14
Unknown
So our job is to find out all these sort of nuances and edge cases and then protect against it to protect our clients. And as far as I know, we're the only ones with what we've come out with called Compliance Shield. So we actually have litigation protection where we'll back and put our money where our mouth is. If you get a claim or a privacy violation, you're using our software with the proper settings, we'll take care of the defense of the case.

00:15:10:16 - 00:15:33:20
Unknown
So it's good. Clients love to say no, you actually believe in your product. We're like, yeah, that's why we're here. And I think you just gave a good insight how complicated this whole topic is. There's nothing that you can just read up into it by yourself. It's far too complicated for this. Now, when you're brand new or just coming new to this topic, what's the very first step you should take?

00:15:34:02 - 00:15:58:06
Unknown
Is it an audit? How do you evaluate your risk level? Yeah, we actually love doing these free privacy audits, so if anybody is interested, we do a free privacy audit. We'll go through the website, we'll see what's missing, what you do have, what's working, what's not working. And you may be shocked how many people say, Oh yeah, we don't even... We had one the other day: We don't even use TikTok, we don't even do this.

00:15:58:06 - 00:16:14:18
Unknown
And we're like, Well, here in our scan, right? We see that you are using TikTok. And they said, Oh, our old agency set that up. And then what's happening is some of these firms and CPG companies, as they get in trouble, they're going after their ad agencies and saying, Oh, the ad agency added this, so they should be the ones that are liable.

00:16:14:20 - 00:16:41:20
Unknown
So the first thing is doing a privacy audit, always checking to say what's running on the website. Do you have a privacy policy? What's notated in it? When was it last updated? Is it relevant? We've had clients who've come to us and said we have this privacy policy. Is it good? I'm like, Well, I'm looking at it. It's saying that you don't have any cookies, no tracking technology, but if you do add anything that you'll surely update everybody who's reading who's ever been to your website.

00:16:41:20 - 00:17:00:18
Unknown
I said, Do you update everybody? They said, No. I said, Did you just copy and paste this from another website and not even look at it? So that's what's happening a lot. And then it's important to be proactive. So like you can use an LLM to create maybe a baseline privacy notice, but you've got to continuously update it.

00:17:00:18 - 00:17:25:02
Unknown
And as these new laws come out and if you have text messaging you're doing, if you're doing email marketing, there's all these new litigation things happening and trends. So it's important to include and continuously update and kind of roll with the punches as these new edge cases continue to come out. And that's one of the things that's made our job really exciting and really complicated for everybody else, where they're like, we just we can handle this.

00:17:25:02 - 00:17:43:22
Unknown
Like, thank goodness for a service like yours. Walk me through the typical onboarding process of a new client. What steps are involved? How long does it take to get up and running? Yeah, definitely. So it's always going to depend on the complexity of their systems, how many websites they have. We usually suggest that they use all the modules that we offer.

00:17:44:00 - 00:18:13:15
Unknown
It starts usually with a scan of the website, seeing what the deficiencies are and what they need. And then we build out and we classify all their different technologies. We do have a library of a few hundred thousand different cookies and tracking technologies that we've built. So a lot of that work luckily is done upfront because we've been working on this and we've had so many different websites with so many different tracking tech that we've been able to ingest and identify a lot of these technology and tools.

00:18:13:17 - 00:18:41:19
Unknown
But a lot of times we'll end up with these random cookies or pixels that are only on one site because they have some sort of specific notation or purpose there. But the first part is classifying, identifying what's on the site. We would build out both our dynamic cookie policy for them and the consent banner logic. We prefer to use a tag manager, Google Tag Manager's one of the most commonly used, and we use that to order the different tags and firing order.

00:18:41:21 - 00:19:04:09
Unknown
It depends on the locations of some of these in the EU, and GDPR doesn't allow them to fire cookies and act right off the bat. They have to get consent to opt in. The US is in a different model, so with the US you can have those things turned on by default if the client wants. So we go through kind of what the risks and what the laws are and then we integrate with that.

00:19:04:09 - 00:19:29:06
Unknown
We can do it within a day. We help them build out their privacy notice based on their privacy practices. Some clients are very proactive and are ready to go right off the bat. Some need time, some need to bring in extra legal. So it definitely varies by client. But I would say the CPG clients tend to be actually some of the easiest ones that we see on board, and that's because a lot of them are the founders are very active.

00:19:29:06 - 00:19:50:19
Unknown
They have smart marketing teams that are there and they're just good about being proactive, where some of the larger enterprises have more moving parts and they take a little bit longer to want to do the onboarding. But yeah, so I could say it typically within a day or so. We're building out a Shopify plug-in that's about to go live because we've had so many requests and clients that have Shopify.

00:19:50:21 - 00:20:14:04
Unknown
And then once we're more onboarded, testing is very important. So going through the website, going through it, making sure everything's working, acting properly, and then we continuously update and do all of our work in the background behind the scenes. Mm hmm. A lot of our listeners are running Shopify stores. They will be very happy to hear that. Now it can be very complex, as you mentioned, but is there a general guideline in regards to your pricing structure?

00:20:14:04 - 00:20:42:06
Unknown
How do you charge? Yeah, so we try to be flat pricing. Our pricing starts at 449. There are times where the clients have multiple websites. Sometimes it's just a basic subdomain, sometimes it's a little more complicated, but usually that tends to be our baseline pricing. And then obviously they're buying multiple websites that we do work for a lot of agencies and they onboard multiple websites and with bulk purchasing price obviously can go down.

00:20:42:08 - 00:21:02:21
Unknown
But yeah, and we try to be very transparent. There are some of those vendors that I mentioned where the pricing or the products don't actually work and they have very nontransparent pricing. And in those they'll say usage based. And you think you're getting it and it's cheap. And then also they get hit with some huge bill or bigger deal or everything.

00:21:02:21 - 00:21:28:07
Unknown
So we try to be very flexible. I come from a startup background. I'm a founder, like a lot of these CPG brands are founder-led still, so I empathize with them and I'm glad to work with them and just being flexible and working on their terms and so forth. Very quickly, Richart, as we would limit its own time today before a coffee break comes to an end, is there anything you want to share with our listeners that we haven't covered yet?

00:21:28:09 - 00:21:53:06
Unknown
Just if anybody is interested or curious or you think that you are covered with the privacy laws, don't just think that, like, confirm. It's really important because I'd hate to have another one of these where I heard your podcast or we were attending one of your educational webinars and our IT person said, Yeah, we're good. And then we got hit with one of these suits and it costs us hundreds of thousands of dollars that we didn't need to spend.

00:21:53:08 - 00:22:10:11
Unknown
We'd much rather do an audit for you and help and disclose and help you figure out what the risks are. So I think that's really important. And I think just being transparent and being open like there are big risks out there, it's good to have somebody who's willing to fight for you and put their money where their mouth is.

00:22:10:13 - 00:22:27:08
Unknown
And you're not alone. We even got an intro earlier tonight of somebody who said, hey, we've been dealing with this privacy litigation, and there's somebody else who's being proactive. But I notice their banner doesn't work. I would love for you to help protect them because you've done such a good job for us. Mm hmm.

00:22:27:12 - 00:22:47:22
Unknown
I think proactive is the right keyword there. And to our listeners, be proactive and then you will be safe. Where can people go to find out more about you? Yeah, so definitely, so I welcome everybody go to captaincompliance.com. You can contact us through the site there. We also have Alex Proctor, our chief privacy officer, is proactive on YouTube.

00:22:47:22 - 00:23:12:21
Unknown
He's putting out educational videos all the time. So if there's an email, we can share that as well. You can go to YouTube and type in Captain Compliance. Those are the best places. And then we're on LinkedIn as well and the team's around pretty much 24/7. That's where we're missionaries, not mercenaries. So we're here on the block, as you can tell based on that we've got absolutely.

00:23:12:21 - 00:23:32:01
Unknown
So I will put all the links in the show notes, as always, then you're just one click away and I hope a lot of people will reach out to you. Richart, thanks so much for giving us an overview of this very important topic. I think I would go back and look at my own business from what I have learned now and probably will have a second talked with what I can optimize on my side.

00:23:32:03 - 00:23:40:22
Unknown
So for our listeners, go out, check it out and leave a comment if you have questions, and I'm sure Richart will reply to that. Thanks so much for your time today. Thank you.